In most cases the lighter the touch the more effective the overall control.
The key points for a light touch are.
•Integrated Overlapping Business and IS controls
•Transparent Controls (Where possible)
–Both in ease of Audit
–And as seen (or not seen) from the users
•Leverage other (non Security) standards and controls
•Few or No Exceptions
•Little or No Emergency access
–both because there is no need
•Utilize and Integrate External resources (don’t stand alone)